Why does the Neutron documentation recommend three interfaces?

Before you start, set up a machine to be a dedicated network node.
Dedicated network nodes should have the following NICs: the
management NIC (called MGMT_INTERFACE), the data NIC (called
DATA_INTERFACE), and the external NIC (called EXTERNAL_INTERFACE).

People occasionally ask, “why three interfaces? What if I only have
two?”, so I wanted to provide an extended answer that might help
people understand what the interfaces are for and what trade-offs are
involved in using fewer interfaces.

The MGMT_INTERFACE is used for communication between nodes. This
can include traffic from services to the messaging server (qpid,
rabbitmq, etc), traffic between nova and neutron, connections to the
database, and other traffic used to manage your OpenStack environment.

The DATA_INTERFACE is used for instance traffic…that is, traffic
generated by or inbound to instances running in your OpenStack
environment. If you are using GRE or VXLAN tunnels your tunnel
endpoints will be associated with this interface.

The EXTERNAL_INTERFACE is used to provide public access to your
instances. The network attached to this interface is generally open
to external traffic, and ip addresses are managed by the floating-ip
functionality in Neutron or Nova.

You want your MGMT_INTERFACE separate from your DATA_INTERFACE
in order to avoid accidentally granting management access to your
OpenStack hosts to your tenants. A typical OpenStack environment
may not use authentication in all cases, and a tenant host with
access to the management network could intentionally or accidentally
cause problems.

You want your EXTERNAL_INTERFACE separate from your
DATA_INTERFACE because your network controller must be acting as
a router between these two interfaces in order for the netfilter
PREROUTING and POSTROUTING rules to activate. These rules are
used to map floating ip addresses to internal addresses via SNAT
and DNAT rules, which only work when packets traverse the FORWARD
chain.

You want your MGMT_INTERFACE separate from your
EXTERNAL_INTERFACE because they have dramatically different access
requirements. Your MGMT_INTERFACE should typically only be
available to other hosts in your OpenStack deployment, while your
EXTERNAL_INTERFACE will generally require much broader access.

If you are deploying a proof-of-concept (POC) deployment to which you
are not actually providing public access, you can elect to not have an
EXTERNAL_INTERFACE. Rather than adding this device to br-ex, you
will set up outbound NAT rules so that “external” traffic from your
instances will masquerade using the primary ip address of your network
controller.
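To make the two NAT scenarios above concrete (the floating-ip DNAT/SNAT mapping on a three-NIC node, and the outbound masquerade for a POC without an EXTERNAL_INTERFACE), here is an added example that is not part of the original post and not Neutron's own L3-agent code. It prints the iptables commands instead of running them; the interface names (eth0/eth1/eth2), the management subnet and all addresses are assumptions, and sending POC traffic out via MGMT_INTERFACE is likewise an assumption, since the post only says "the primary ip address of your network controller".

```shell
#!/bin/sh
# Added example (not from the post): emit the netfilter NAT rules behind the
# two scenarios described above. Commands are printed rather than executed so
# they can be reviewed or diffed against a live node first. Interface names,
# addresses and subnets are constructed assumptions, not values from the post.

MGMT_INTERFACE=${MGMT_INTERFACE:-eth0}           # assumed management NIC
DATA_INTERFACE=${DATA_INTERFACE:-eth1}           # assumed instance-traffic NIC
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth2}   # assumed NIC attached to br-ex
MGMT_CIDR=${MGMT_CIDR:-192.0.2.0/24}             # assumed management subnet

# Three-NIC layout: map one floating ip to one fixed ip. DNAT in PREROUTING
# rewrites the destination on the way in, SNAT in POSTROUTING rewrites the
# source on the way out. Both only take effect for packets the node forwards
# between EXTERNAL_INTERFACE and DATA_INTERFACE, so ip_forward must be on and
# the FORWARD chain must accept the flow in both directions.
floating_ip_rules() {
    float=$1; fixed=$2
    case "$float" in ""|*[!0-9.]*) echo "bad floating ip: '$float'" >&2; return 1;; esac
    case "$fixed" in ""|*[!0-9.]*) echo "bad fixed ip: '$fixed'" >&2; return 1;; esac
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -d $float/32 -j DNAT --to-destination $fixed"
    echo "iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $fixed/32 -j SNAT --to-source $float"
    echo "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $DATA_INTERFACE -d $fixed/32 -j ACCEPT"
    echo "iptables -A FORWARD -i $DATA_INTERFACE -o $EXTERNAL_INTERFACE -s $fixed/32 -j ACCEPT"
}

# POC layout with no EXTERNAL_INTERFACE: instance traffic leaves through the
# management NIC (an assumption; the post says only "the primary ip address of
# your network controller") and is masqueraded behind its address. This is the
# trade-off the post describes: tenant packets now cross MGMT_INTERFACE, so
# anything bound for the management subnet itself is dropped first.
poc_masquerade_rules() {
    tenant_cidr=$1
    case "$tenant_cidr" in *[!0-9./]*|"") echo "bad cidr: '$tenant_cidr'" >&2; return 1;; esac
    case "$tenant_cidr" in */[0-9]|*/[0-9][0-9]) ;; *) echo "expected a.b.c.d/len: '$tenant_cidr'" >&2; return 1;; esac
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -i $DATA_INTERFACE -d $MGMT_CIDR -j DROP"
    echo "iptables -A FORWARD -i $DATA_INTERFACE -o $MGMT_INTERFACE -s $tenant_cidr -j ACCEPT"
    echo "iptables -A FORWARD -i $MGMT_INTERFACE -o $DATA_INTERFACE -d $tenant_cidr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $tenant_cidr ! -d $tenant_cidr -o $MGMT_INTERFACE -j MASQUERADE"
}
```

Run e.g. `floating_ip_rules 203.0.113.10 10.0.0.5 | sh` as root once the printed rules look right; the masquerade variant gives instances outbound access only, with no inbound floating-ip mapping.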